b'   October 03, 2002\n\n\n\n\nInformation\nTechnology\nInformation Resource Management\nat the Army Aviation and Missile\nCommand\n(D-2003-002)\n\n\n\n\n              Department of Defense\n          Office of the Inspector General\nQuality               Integrity       Accountability\n\x0c  Additional Information and Copies\n\n  To obtain additional copies of this report, visit the Web site of the Inspector\n  General of the Department of Defense at www.dodig.osd.mil/audit/reports or\n  contact the Secondary Reports Distribution Unit of the Audit Followup and\n  Technical Support Directorate at (703) 604-8937 (DSN 664-8937) or fax (703)\n  604-8932.\n\n  Suggestions for Audits\n\n  To suggest ideas for or to request audits, contact the Audit Followup and\n  Technical Support Directorate at (703) 604-8940 (DSN 664-8940) or\n  fax (703) 604-8932. Ideas and requests can also be mailed to:\n\n                    OAIG-AUD (ATTN: AFTS Audit Suggestions)\n                    Inspector General of the Department of Defense\n                          400 Army Navy Drive (Room 801)\n                              Arlington, VA 22202-4704\n\n  Defense Hotline\n\n  To report fraud, waste, or abuse, contact the Defense Hotline by calling (800) 424-\n  9098; by sending an electronic message to Hotline@dodig.osd.mil; or by writing to\n  the Defense Hotline, The Pentagon, Washington, DC 20301-1900. The identity of\n  each writer and caller is fully protected.\n\n\n\n\nAcronyms\nAMCOM                Army Aviation and Missile Command\nCIO                  Chief Information Officer\n\x0c\x0c         Office of the Inspector General of the Department of Defense\nReport No. D-2003-002                                              October 3, 2002\n  (Project No. D2001AL-0173)\n\n                  Information Resource Management at the\n                    Army Aviation and Missile Command\n\n                               Executive Summary\n\nWho Should Read This Report and Why? Chief Information Officers and others\nwho manage information technology resources within DoD should read this report\nbecause the issues identified may be applicable across DoD.\n\nBackground. This audit was initiated in response to a Hotline allegation that the Army\nAviation and Missile Command (the Command) was not properly managing information\nresources at the Redstone Arsenal, Huntsville, Alabama. The Command develops,\nacquires, fields, and sustains aviation and missile systems for Army battlefield systems\nand provides support services to more than 40 tenants co-located at the Redstone\nArsenal and the surrounding area. For FY 2001, the Command budget at the Redstone\nArsenal exceeded $7.1 billion, and identified costs for information technology were\nestimated to be as much as $126 million.\n\nResults. The Command was not effectively managing information resources at the\nRedstone Arsenal. Although the Chief Information Officer was engaged in the\nCommand\xe2\x80\x99s investment and architecture strategy, information technology purchases of\nmore than $1.5 million were not coordinated and deliverables did not meet software and\naccreditation standards. The Command must allow the Chief Information Officer to\nbecome more involved in the business decision processes of its organizations when they\nacquire information technology. In addition, untrained personnel made quality\nacceptance recommendations for more than $11.5 million in purchases; purchase card\nholders made more than $1 million in unapproved acquisitions; and the Command did\nnot realize a potential $431,000 annual cost avoidance by combining modules of similar\nsystems. Management controls need to be put in place to ensure that personnel who\nmake quality acceptance recommendations for purchases receive training in basic\ninformation technology concepts and to ensure that only approved cardholders acquire\ninformation technology products and services. Further, the Command needs to reassess\nthe feasibility and cost effectiveness of combining similar system modules.\n\nThe Command\xe2\x80\x99s management control evaluation for information management did not\ninclude all resources at the Redstone Arsenal. Further, when a Chief Information\nOfficer-sponsored information technology study reported that the Command was not\nfollowing best practices, the Command chose not to report the material weaknesses or\nthe actions that it was taking to correct the weaknesses in its FY 2001 Annual Statement\nof Assurance. The Command needs to evaluate all information management and\ninformation technology functions of Redstone Arsenal and report actions to correct any\nmaterial weaknesses in its FY 2002 Statement of Assurance. For details of the audit\nresults and recommendations, see the Finding section of the report. For a discussion of\nthe allegation, see Appendix C.\n\x0cManagement Comments and Audit Response. The Chief of Staff, Army Materiel\nCommand, responding for the Commanding General, Army Aviation and Missile\nCommand, generally concurred with the recommendations. The Command will\ndevelop a curriculum and provide training for evaluating the quality of information\ntechnology purchases within 3 to 6 months. Also, the Command will develop an\nautomated system for managing information technology requirements and purchase card\ntransactions. Further, the Command believes that existing controls and the\ncomprehensive Information Management Master Plan that it developed in April 2002\nwill increase the Chief Information Officer\xe2\x80\x99s involvement in information technology\ninitiatives. However, the Command stated that combining modules of similar systems\nwas not feasible or cost-effective. In addition, the Command stated that it only reports\nmanagement control weaknesses that it cannot readily correct in its statements of\nassurance. Accordingly, after re-evaluating recommendations made in the FY 2001\ninformation technology study, the Command will report weaknesses that cannot be\ncorrected. See the Finding section of the report for a discussion of management\ncomments and the Management Comments section for the complete text of the\ncomments.\n\nThe comments did not fully meet the intent of the recommendations. Existing controls\nand the April 2002 Information Management Master Plan will not ensure that the Chief\nInformation Officer is involved in all information technology initiatives. The Master\nPlan is a strategy only, and additional control guidance will be required to establish\nprocedures for reviews and evaluations by the Chief Information Officer. Also, the\nCommand\xe2\x80\x99s decision and justifications for not combining modules of similar systems\nwere not documented and communicated to the involved Command organizations.\nAfter the decision was made, an involved organization believed that the combination\nwas feasible. Further, the Command\xe2\x80\x99s practice of selectively reporting management\ncontrol weaknesses in statements of assurance does not comply with Army guidance.\nInformation technology is a DoD high-risk area. Therefore, the FY 2001 information\ntechnology study results should have been elevated to the Army Materiel Command.\nAdditionally, the Command did not provide an implementation date for its planned\nrequirements and purchase card transaction management system for information\ntechnology. We request that the Army reconsider its position on the recommendations\nand provide additional comments by December 3, 2002.\n\n\n\n\n                                           ii\n\x0cTable of Contents\nExecutive Summary                                                        i\n\nBackground                                                               1\n\nObjectives                                                               1\n\nFinding\n     Managing Army Aviation and Missile Command Information Resources    2\n\nAppendixes\n     A. Scope and Methodology                                           11\n          Management Control Program Review                             13\n          Prior Coverage                                                13\n     B. Mandatory Guidance                                              14\n     C. Validation of Assertions Made in the Hotline Allegation         17\n     D. Information Resource Management at Redstone Arsenal             19\n     E. Report Distribution                                             21\n\nManagement Comments\n     Department of the Army                                             23\n\x0cBackground\n           We performed this audit in response to a Defense Hotline referral. The\n           anonymous source alleged that the Army Aviation and Missile Command\n           (AMCOM), located at the Redstone Arsenal, Huntsville, Alabama, was not\n           properly managing information resources. The report discusses the quality of\n           AMCOM information management and addresses the validity of the claims raised\n           by the anonymous source. See Appendix C for details on the validation of\n           assertions made in the Hotline Allegation.\n\n           AMCOM develops, acquires, fields, and sustains aviation and missile systems to\n           guarantee the readiness and technological superiority of Army battlefield\n           systems. AMCOM Directorates and Centers implement that mission and\n           provide support services to more than 40 tenants co-located at the Redstone\n           Arsenal and the surrounding area. For FY 2001, the AMCOM budget at the\n           Redstone Arsenal exceeded $7.1 billion. The AMCOM Corporate Information\n           Center, under the direction of the Chief Information Officer (CIO), designs,\n           develops, implements, and maintains all aspects of information management and\n           technology at the Redstone Arsenal. For FY 2001, identified AMCOM costs\n           for information technology were estimated to be as much as $126 million.\n\nObjectives\n           The audit evaluated the management of information resources at AMCOM.\n           Specifically, the audit determined whether AMCOM was managing information\n           resources in accordance with Office of Management and Budget and DoD\n           guidance. Further, the audit was to determine whether AMCOM had\n           reengineered its business processes in response to planned system deployments\n           of the Army\xe2\x80\x99s Wholesale Logistics Modernization Plan.1 However, after we\n           announced our objective, we determined that AMCOM had not reengineered its\n           business processes because applications for the Army Wholesale Logistics\n           Modernization Plan had not been completed. Also, we reviewed the\n           management control program related to the objectives. See Appendix A for a\n           discussion of the audit scope and methodology and the review of the\n           management control program.\n\n\n\n\n1\n    The Wholesale Logistics Modernization Plan is a 10-year, $680 million initiative that replaces the\n    Army\xe2\x80\x99s Command Commodity Standard System and Standard Depot System with commercial-off-the-\n    shelf applications that are operated and maintained by the Computer Sciences Corporation.\n\n                                                     1\n\x0c           Managing Army Aviation and Missile\n           Command Information Resources\n           The AMCOM Chief Information Officer (CIO) was not effectively\n           managing information resources because the Commanding General\xe2\x80\x99s\n           organizational elements and tenants at the Redstone Arsenal acquired\n           information technology without engaging the CIO and the Corporate\n           Information Center in their information management decisions. As a\n           result, the Command allowed:\n\n           \xe2\x80\xa2   personnel who had no information technology training to make\n               quality review recommendations for the acceptance of more than\n               $11.5 million in information technology deliverables during\n               FY 2001;\n\n           \xe2\x80\xa2   organizational elements and tenants to purchase more than\n               $1.5 million for information technology products and services in\n               FY 2001 without being reviewed by the Corporate Information\n               Center;\n\n           \xe2\x80\xa2   unapproved purchase card holders to obtain more than $1 million in\n               information technology products during FY 2001;\n\n           \xe2\x80\xa2   an uncertified and unaccredited hardware installation that resulted in\n               a security breach;\n\n           \xe2\x80\xa2   the purchase of a training module that did not comply with software\n               standards for people with disabilities; and\n\n           \xe2\x80\xa2   a potential annual cost avoidance opportunity, estimated to be as\n               much as $431,000, to be missed by not combining the Automated\n               Resource Management System and the Integrated Center Information\n               System.\n\n    Also, the AMCOM management control evaluation for information management\n    did not include all resources managed and funded by organizational elements\n    and tenants at the Redstone Arsenal. Further, when a CIO-sponsored\n    information technology study reported that AMCOM was not following best\n    practices for the information management and information technology functions,\n    AMCOM chose not to report the material weaknesses cited in the study or the\n    actions that it was taking to correct the weaknesses to the Army Materiel\n    Command in its FY 2001 Annual Statement of Assurance.\n\nMandatory Guidance\n    Office of Management and Budget and DoD guidance implement the Clinger-\n    Cohen Act of 1996 by providing managers with policies and procedures for\n    managing and safeguarding information resources and for evaluating\n\n                                        2\n\x0c        management controls. Further, Army and AMCOM regulations state that\n        information must be managed as any other asset, with CIO involvement in\n        decisions affecting information technology equipment, systems, software,\n        services, or alternative solutions. Also, the General Accounting Office has\n        identified the management of information technology investments as a high-risk\n        area for the DoD. Appendix B describes the guidance relating to the\n        management of information resources at the Redstone Arsenal.\n\nMonitoring Information Management\n        At AMCOM, the span of management control for the CIO does not extend\n        beyond the Corporate Information Center. As a result, AMCOM organizations\n        and tenants manage and fund mission-related information resources without\n        engaging the CIO and the Corporate Information Center in their information\n        technology decisions. Therefore, the CIO did not directly manage and control a\n        significant portion of information technology funds. We estimated2 that about\n        $44 million, or 35 percent, of the FY 2001 funds for information technology\n        was not controlled by the CIO. Further, except for the Corporate Information\n        Center, expenditures for information technology were included with\n        expenditures for other mission activities and therefore were not fully\n        identifiable. Appendix D demonstrates the extent of information technology\n        resources maintained and controlled by AMCOM organizational elements and\n        major tenant organizations.\n\nBenchmark Study\n        A benchmark study3 sponsored by the CIO concluded that AMCOM information\n        resources were not being efficiently and effectively managed due to limited\n        support from the Command\xe2\x80\x99s senior management. The $99,916 study,\n        conducted between June 2000 and March 2001, found the following conditions\n        at AMCOM.\n                 \xe2\x80\xa2   Multiple formal and informal information technology organizations\n                     existed that operated outside the purview of the CIO-managed\n                     Corporate Information Center.\n\n                 \xe2\x80\xa2   Independent network and computer ownership resulted in chaotic and\n                     inefficient support.\n\n                 \xe2\x80\xa2   Systems were implemented without Corporate Information Center\n                     input and, when migrated to the Center, would require support from\n                     untrained personnel.\n\n\n2\nEstimate is based on discussions with personnel responsible for information resource management at\nAMCOM and tenant organizations and reviews of information technology contracts.\n3\n \xe2\x80\x9cU.S. Army Aviation and Missile Command Distributed Computing Environment (DCE) Benchmark\nStudy,\xe2\x80\x9d March 28, 2001, prepared for AMCOM by the Harris Corporation.\n\n                                                  3\n\x0c            \xe2\x80\xa2   Existing infrastructure support was inadequate with little hope of\n                scaling up to meet future needs.\n\n            \xe2\x80\xa2   The Corporate Information Center was unable to meet current\n                demands due to resources being extended for other priorities.\n\n            \xe2\x80\xa2   The Corporate Information Center was attempting to manage\n                multiple generations of assets with limited staff and training.\n\n            \xe2\x80\xa2   Help Desk assistance was inadequate for customer information\n                technology support.\n\n            \xe2\x80\xa2   Asset management did not allow efficient tracking and use of\n                resources.\n     In response to the study, AMCOM formed integrated process teams, chaired by\n     the CIO, to systematically analyze and find solutions to the identified issues.\n     The Business Information Management Planning Board drafted an Information\n     Management Master Plan, and the Information Technology Team developed\n     guidance for information technology best business practices and processes.\n\n             Information Management Master Plan. The AMCOM Information\n     Management Master Plan provides the Command with guidance for\n     implementing information management goals and objectives. The document was\n     a collaborative effort of all the AMCOM major organizational elements and\n     placed the CIO at the top of the AMCOM information management chain.\n\n             Best Business Practices. The Information Technology Team identified\n     five business cases or areas of improvement. The most significant case\n     addresses architecture for hardware and software, and processes that should be\n     changed to achieve the standardization objective. The team planned to complete\n     policies and procedures for implementation by July 2002. Further, the team\n     will continually meet to discuss the identified business areas.\n\n     Although AMCOM took actions as a result of the benchmark study,\n     organizational elements and tenants at the Redstone Arsenal did not always\n     engage the CIO and the Corporate Information Center in information\n     management decisions.\n\nInformation Technology Acquisitions\n     Our analysis of the assertions made in the Defense Hotline allegation (see\n     Appendix C) showed that the Commanding General and the CIO had limited\n     oversight of information products and services received by AMCOM\n     organizational elements and tenants. As a result, personnel untrained in\n     information technology made quality acceptance recommendations for\n     deliverables received from the Information Mission Area Support Services\n     Contract; organizations did not coordinate information technology requirements\n     with the Corporate Information Center as required; purchase card holders made\n\n\n                                         4\n\x0c           unauthorized information technology acquisitions; deliverables did not conform\n           to information technology and security standards; and AMCOM did not realize a\n           potential recurring cost avoidance.\n\n           Information Mission Area Support Services Contract. Technical acceptances\n           of services obtained from the Information Mission Area Support Services\n           Contract4 relied on evaluations made by technical monitors; however, not all\n           monitors were trained in information technology. We determined that AMCOM\n           did not provide 31 of the 48 assigned technical monitors with information\n           technology training or guidance for evaluating the quality of deliverable\n           services. As a result, in FY 2001, more than half the funds obligated for\n           information support services were recommended for acceptance by personnel\n           who had no formal training in information technology. Cumulatively, these\n           contracted deliverables amounted to more than $11.5 million of the $23 million\n           invested for information mission area support services.\n\n           Coordination of Requirements. Contrary to AMCOM Regulation 25-4,\n           \xe2\x80\x9cInformation Management,\xe2\x80\x9d June 9, 1999, requirements for information\n           services and products were not always coordinated with the CIO and the\n           Corporate Information Center. AMCOM Regulation 25-4 requires CIO\n           approval before organizational elements purchase information technology for\n           business systems. Without that coordination, the CIO and the Corporate\n           Information Center were unaware of the extent and the quality of information\n           technology acquired by AMCOM organizational elements and tenants.\n\n                  Aviation and Missile Research, Development and Engineering Center\n           Contract. Information technology services obtained through the Aviation and\n           Missile Research, Development, and Engineering Center Contract5 were not\n           always reviewed by the CIO and the Corporate Information Center. Of eight\n           orders for information technology services issued between March 2001 and\n           November 2001, only one, valued at $19,995, was coordinated through the\n           Corporate Information Center. Cumulatively, the seven orders that were not\n           coordinated totaled more than $1.5 million. According to responsible\n           personnel, coordination was not required for the information technology\n           requirements within the Aviation and Missile Research, Development, and\n           Engineering Center.\n                  Purchase Card Acquisitions. Personnel with purchase card privileges\n           obtained information technology products without prior approvals from the\n           Deputy CIO. AMCOM Regulation 25-4 requires that cardholders receive\n           annual authorizations to purchase information technology products. A\n           comparison of FY 2001 information technology transactions to approvals\n           showed that eight cardholders had purchased information technology products\n\n4\n    A 5-year, cost-plus-fixed-fee contract awarded to Nichols Colsat Information Management of Huntsville,\n    Alabama, for automation, telecommunications, visual information, and records management services.\n5\n    A cost-reimbursable, $12.3 million no-fee contract awarded in March 2001 to the University of Alabama\n    in Huntsville for system engineering and advanced weapon system and manufacturing technology\n    support used by the Research, Development, and Engineering Center.\n\n                                                     5\n\x0cwithout obtaining prior authorizations. Our analysis of the transactions made by\nseven of those cardholders, showed that:\n\n       \xe2\x80\xa2   two cardholders had expired authorizations,\n\n       \xe2\x80\xa2   two cardholders believed that authorizations to purchase information\n           technology products extended to them when another person in their\n           office had received approval, and\n\n       \xe2\x80\xa2   three cardholders were unaware of the AMCOM requirement to\n           obtain an approval to purchase information technology products.\n\nCumulatively, the eight cardholders made 332 transactions and acquired\ninformation technology software, hardware, and services worth more than\n$1 million in FY 2001. One cardholder made 177 purchases totaling more than\n$589,000. We concluded that those purchases went undetected because\nAMCOM had not implemented a management control procedure to screen\npurchase card transactions for information technology software, hardware, and\nservices. Our analysis of credit card transactions was limited to identifying\nthose personnel who were using credit cards to purchase information technology\nproducts and determining whether those personnel had obtained authorizations to\npurchase information technology. We did not perform tests to determine\nwhether the credit card purchases were justified.\n\nArmy Regulation 380-19, \xe2\x80\x9cInformation Systems Security,\xe2\x80\x9d February 27, 1998,\nrequires that automated information systems be certified and accredited for\ninformation assurance before being deployed. Unaware of the requirement, the\nCommand Analysis Directorate used a purchase card to obtain a graphics writer\nfor $14,013 and connected it to the Redstone Arsenal campus area network. In\nOctober 2001, an Army computer emergency response team outside the\nCommand found that the installed writer allowed an undetected intrusion to its\nstored files. According to AMCOM security personnel, violations of the\ncampus area network may have occurred. Without a process for monitoring\npurchase card transactions, security personnel were unaware of the presence of\nthe graphics writer until notified of the breach.\n        Training Module. The Intelligence and Security Directorate acquired a\nsecurity awareness training module for $59,659 without allowing the Corporate\nInformation Center an opportunity to evaluate the contract. When the Corporate\nInformation Center reviewed the deliverable for compatibility with the campus\narea network, the module had to be modified because it did not comply with\nFederal standards for people with disabilities. According to Office of\nManagement and Budget Circular A-130, \xe2\x80\x9c Management of Federal Information\nResources,\xe2\x80\x9d November 30, 2000, agencies must ensure that persons with\ndisabilities have reasonable access to information products.\n\nResource Management Systems. Similar information systems for managing\nresources were operated, maintained, and continually upgraded at AMCOM. In\nSeptember 1998, a joint cost analysis team from the Research Development and\nEngineering Center and the Corporate Information Center concluded that\nAMCOM would avoid as much as $431,000 annually by combining modules\n                                   6\n\x0c     from their resource management systems. However, the Deputy Director of the\n     Research Development and Engineering Center recommended delaying action\n     pending further study. As of November 2001, the modules had not been\n     combined. Further, AMCOM officials could not find documentation to show\n     that additional study had resumed in response to the recommendation.\n\nManagement Control Evaluations and Reports\n     Management control reviews and reports did not demonstrate that AMCOM had\n     effectively managed risks for the information management function. Army\n     Regulation 11-2, \xe2\x80\x9cManagement Control,\xe2\x80\x9d August 1, 1994, requires\n     commanders and managers to establish and maintain effective management\n     controls, assess areas of risk, identify and correct weaknesses, and report\n     weaknesses to the next higher level of command. In addition, Regulation 11-2\n     requires managers to give high priority to weaknesses in identified high-risk\n     areas. Also, Army Regulation 25-1, \xe2\x80\x9cArmy Information Management,\xe2\x80\x9d\n     February 15, 2000, provides a checklist to evaluate management controls for\n     information management and information technology functions.\n\n     The General Accounting Office has identified the management of information\n     technology investments as a high-risk area for the DoD. AMCOM evaluated\n     information system security in FY 1999 and found that insufficient funding\n     delayed program implementation. In its FY 2000 and FY 2001 Statements of\n     Assurance, AMCOM reported the delayed implementation as an uncorrected\n     material weakness. However, when AMCOM evaluated management controls\n     for information management and information technology in FY 2000, it limited\n     its review to the Corporate Information Center, excluding information resources\n     that were functionally managed and funded by other organizational elements and\n     tenants. Further, when the CIO-sponsored benchmark study of information\n     management found that AMCOM was not following information technology best\n     practices, AMCOM chose not to report the material weaknesses cited in the\n     study or the actions it was taking to correct these weaknesses to the Army\n     Materiel Command in its FY 2001 Annual Statement of Assurance.\n\nSummary\n     At AMCOM, the mission function of collecting, storing, and reporting\n     information extends beyond the Corporate Information Center. Although the\n     CIO initiated actions to develop and implement a Command strategy for\n     information management investments and architecture for hardware and\n     software, the CIO and the Corporate Information Center were not always\n     engaged in decisions affecting the acquisition and operation of information\n     resources. Accordingly, the CIO and the Corporate Information Center must\n     become involved in the business decision processes of AMCOM and tenant\n     organizations to effectively manage and oversee their information technology\n     resources.\n\n\n\n\n                                        7\n\x0cManagement Comments on the Finding\n    The Chief of Staff, Army Materiel Command stated that he considered the\n    report\xe2\x80\x99s finding and recommendations to be generally true throughout DoD and\n    across many government agencies. Further, he believed that the new Army\n    Knowledge Management directives will resolve reported issues.\n\nRecommendations, Management Comments, and Audit\n Response\n    We recommend that the Commanding General, Army Aviation and Missile\n    Command:\n\n           1. Provide technical monitors with training and guidance in the\n    basic information technology concepts necessary to evaluate the\n    acceptability of products and services obtained from the Information\n    Mission Area Support Services Contract.\n\n    Management Comments. The Chief of Staff, Army Materiel Command,\n    responding for the Commanding General, Army Aviation and Missile\n    Command, generally concurred with the recommendation. The Army Aviation\n    and Missile Command plans to develop a curriculum and provide training for\n    evaluating the quality of information technology services. The Command\n    anticipates implementing the training within 3 to 6 months.\n\n           2. Establish controls to ensure that the Army Aviation and Missile\n    Command and tenant organizations engage the Chief Information Officer in\n    business system acquisitions of information technology in accordance with\n    Army Aviation and Missile Command Regulation 25-4, \xe2\x80\x9cInformation\n    Management.\xe2\x80\x9d\n\n    Management Comments. The Chief of Staff, Army Materiel Command\n    concurred with the intent of the recommendation. The Chief of Staff stated that\n    the Army Aviation and Missile Command developed a comprehensive\n    Information Management Master Plan in April 2002 to strengthen controls. The\n    plan, in conjunction with existing procedures, will enable the Chief Information\n    Officer to become more involved in reviews and evaluations of information\n    technology initiatives.\n\n    Audit Response. The comments are partially responsive. The Army Aviation\n    and Missile Command continues to assume that the Chief Information Officer\n    will review and evaluate all information technology initiatives as a result of its\n    existing controls and the April 2002 Information Management Master Plan. The\n    audit demonstrated that multiple information technology organizations exist\n    outside the direct control of the Chief Information Officer. Further, the\n    Information Management Master Plan is a strategy and not a business process\n    procedure. Without additional control guidance, we believe that Command\n    organizations will not always engage the Chief Information Officer in business\n                                        8\n\x0cdecisions affecting information technology. Therefore, we request that the\nArmy reconsider its position on this recommendation and provide additional\ncomments in response to the final report.\n\n       3. Screen purchase card transactions to ensure that information\ntechnology products and services are acquired by approved cardholders.\n\nManagement Comments. The Chief of Staff, Army Materiel Command\nconcurred and stated that the Army Aviation and Missile Command is\ndeveloping an automated system that will manage information technology\nrequirements and purchase card transactions.\n\nAudit Response. The planned action satisfies the intent of the recommendation.\nHowever, the Army needs to provide a system completion date in response to\nthe final report.\n\n      4. Reassess the identified annual cost avoidance opportunity of\ncombining the Automated Resource Management System and Integrated\nCenter Information System modules.\n\nManagement Comments. The Chief of Staff, Army Materiel Command\nnonconcurred and stated that in September 1998 the Army Aviation and Missile\nCommand determined that the combination of system modules was not feasible\nor cost-effective.\n\nAudit Response. The Army Aviation and Missile Command could not provide\ndocumentation supporting its decision not to combine the system modules.\nFurther, subsequent correspondence within the Command, dated January 8,\n1999, stated that the combination was feasible and that a final decision had not\nbeen made. Therefore, we request that the Army reconsider its position on this\nrecommendation and provide additional comments in response to the final\nreport.\n\n       5. Report the actions taken to correct weaknesses in information\nmanagement and information technology best practices contained in the\n\xe2\x80\x9cU.S. Army Aviation and Missile Command Distributed Computing\nEnvironment (DCE) Benchmark Study\xe2\x80\x9d in the Aviation and Missile\nCommand FY 2002 Statement of Assurance and subsequent statements until\nactions are completed.\n\nManagement Comments. The Chief of Staff, Army Materiel Command\nconcurred with the intent of the recommendation and stated that the Army\nAviation and Missile Command is reevaluating the recommendations made in\nthe Benchmark Study and that material weaknesses, which cannot be readily\ncorrected, will be reported through proper channels.\n\nAudit Response. The comments are partially responsive. Because information\ntechnology is recognized as a DoD high-risk area, the Army Aviation and\nMissile Command should report the Benchmark Study results and the\nsubsequent actions taken to improve information technology business practices\n\n                                    9\n\x0cto the Army Materiel Command in its statements of assurance. Therefore, we\nrequest that the Army provide additional comments in response to the final\nreport.\n\n      6. Evaluate all Redstone Arsenal information management and\ninformation technology functions and report any material weakness in the\nArmy Aviation and Missile Command FY 2002 Statement of Assurance.\n\nManagement Comments. The Chief of Staff, Army Materiel Command\nconcurred with the intent of the recommendation. He stated that the Chief\nInformation Officer at the Army Aviation and Missile Command has implemented\nand improved many information management business processes to allow better\nmanagement controls and accountability of information technology resources. In\naddition, the Army Aviation and Missile Command will continue to review\nexisting information technology processes and report material weaknesses that it\ncannot correct.\n\nAudit Response. The Army Aviation and Missile Command\xe2\x80\x99s practice of\nselectively reporting only weaknesses that it cannot correct in statements of\nassurance is contrary to Army guidance. Army management control guidance\nrequires commanders and managers to keep superiors informed and to identify\nand correct weaknesses in known high-risk areas. Therefore, we request that\nthe Army reconsider its position on this recommendation and provide additional\ncomments in response to the final report.\n\n\n\n\n                                  10\n\x0cAppendix A. Scope and Methodology\n   We reviewed documentation dated from July 1997 through February 2002. To\n   accomplish the audit objective we:\n         \xe2\x80\xa2 Interviewed officials and obtained documentation from the Office of\n             the Army Director of Information Systems for Command, Control,\n             Communications, and Intelligence; the Army Materiel Command; the\n             Army Space and Missile Defense Command; the Program Executive\n             Office Air and Missile Defense; the Program Executive Office\n             Tactical Missiles; and AMCOM.\n         \xe2\x80\xa2 Reviewed the AMCOM Distributed Computing Environment\n             Benchmark Study, March 2001.\n         \xe2\x80\xa2 Reviewed the cost analysis that addressed combining the Integrated\n             Center Information System and the Automated Resource\n             Management System as a single resource management system in\n             support of AMCOM.\n\n         \xe2\x80\xa2   Analyzed technical direction orders applicable to the AMCOM\n             Information Mission Area Support Services Contract to determine\n             requiring organizations and technical monitors responsible for\n             accepting information technology deliverables totaling more than\n             $22 million in FY 2001.\n\n         \xe2\x80\xa2   Reviewed eight technical direction orders at a cumulative cost of\n             more than $1.5 million for information technology services issued\n             between March and November 2001 by the Aviation and Missile\n             Research, Development, and Engineering Center.\n\n         \xe2\x80\xa2   Reviewed the purchase of a $59,659 training module by the\n             AMCOM Intelligence and Security Directorate.\n\n         \xe2\x80\xa2   Reviewed the $14,012 purchase card acquisition for a graphics writer\n             by the AMCOM Command Analysis Directorate.\n\n         \xe2\x80\xa2   Reviewed the AMCOM Information Management Master Plan.\n\n         \xe2\x80\xa2   Reviewed Program Budget Decision No. 704 \xe2\x80\x9cFinancial\n             Management Modernization Program.\xe2\x80\x9d\n\n         \xe2\x80\xa2   Reviewed the AMCOM FY 2001 Obligations.\n\n         \xe2\x80\xa2   Analyzed a $40 million listing of AMCOM FY 2001 credit card\n             transactions to identify information technology purchases.\n\n         \xe2\x80\xa2   Reviewed AMCOM Information System Security processes and\n             procedures.\n\n\n                                     11\n\x0c       \xe2\x80\xa2   Evaluated the adequacy of management controls related to the\n           management of information technology at AMCOM.\n\n       \xe2\x80\xa2   Contacted Department of Army, Army Materiel Command, and\n           officials responsible for the management of information resources\n           and internal management controls at AMCOM. In addition, we\n           contacted persons responsible for the acquisition of information\n           resources at Redstone Arsenal including chief information officers\n           from AMCOM and tenant organizations, contracting officer technical\n           representatives, a contracting officer representative, technical\n           monitors, budget analysts, and other AMCOM personnel who were\n           involved with specific information technology acquisitions.\n\nWe conducted this audit from September 2001 through June 2002 in accordance\nwith generally accepted government auditing standards. Except for the\nCorporate Information Center, AMCOM costs for acquiring, collecting, storing,\nand reporting information were not readily identifiable because funds were\ncommingled with budgeted costs of other organizations and tenants. Therefore,\nwe relied on discussions with knowledgeable personnel and reviews of contracts\nfor estimating information technology costs.\n\nUse of Computer-Processed Data. We relied on computer-processed data to\ncompare FY 2001 purchase card transactions for information technology to a list\nof authorized cardholders. Because the scope of our review was limited to\nidentifying information technology transactions, we did not evaluate overall\ncontrols for the Purchase Card Management System.\n\nGeneral Accounting Office High-Risk Area. The General Accounting Office\nhas identified several high-risk areas in the DoD. This report provides coverage\nof the Information Security and Defense Systems Modernization high-risk areas\nto include Information Management.\n\n\n\n\n                                   12\n\x0cManagement Control Program Review\n    DoD Directive 5010.38, \xe2\x80\x9cManagement Control (MC) Program,\xe2\x80\x9d August 26,\n    1996, and DoD Instruction 5010.40, \xe2\x80\x9cManagement Control (MC) Program\n    Procedures,\xe2\x80\x9d August 28, 1996, require DoD organizations to implement a\n    comprehensive system of management controls that provides reasonable\n    assurance that programs are operating as intended and to evaluate the adequacy\n    of the controls.\n\n    Scope of the Review of the Management Control Program. We reviewed the\n    adequacy of AMCOM management controls for information resources at the\n    Redstone Arsenal. Specifically, we reviewed controls for coordinating and\n    overseeing information management plans and actions made by organizational\n    elements and tenants. Further, we reviewed the self-evaluation applicable to\n    those controls.\n\n    Adequacy of the Management Controls. We identified material management\n    control weaknesses as defined by DoD Instruction 5010.40. Controls for\n    information management were not adequate to ensure that applied resources for\n    acquiring information technology products were effectively and efficiently\n    managed in accordance with Office of Management and Budget, DoD, and\n    Army guidance. Implementation of the recommendations to provide\n    information technology training and guidance to technical monitors, to comply\n    with the requirement to engage the CIO in acquisitions of information\n    technology, and to screen purchase card transactions should correct the\n    weaknesses. A copy of the report will be sent to the senior official in charge of\n    management controls for the Army Materiel Command and AMCOM.\n\n    Adequacy of Management\xe2\x80\x99s Self-Evaluation. AMCOM conducted self-\n    evaluations by organizational element rather than functional area. As a result,\n    when AMCOM performed its self-evaluation of management controls for\n    information resources, the review was limited to the Corporate Information\n    Center and excluded information resources managed and funded by other\n    organizational elements and tenants. Further, when a benchmark study reported\n    that AMCOM had not followed information management and information\n    technology best practices, AMCOM did not consider the study results to be\n    material and chose not to report them to the Army Materiel Command even\n    though information management is a designated DoD high-risk area.\n\nPrior Coverage\n    During the last 5 years, no reports addressing the Management of Information\n    Resources at AMCOM have been issued.\n\n\n\n\n                                        13\n\x0cAppendix B. Mandatory Guidance\n\nOffice of Management and Budget Guidance\n     Office of Management and Budget Circular A-123. Office of Management\n     and Budget Circular A-123, June 21, 1995, defines management controls as the\n     organization, policies, and procedures used to reasonably ensure that:\n\n            \xe2\x80\xa2   programs achieve their intended results;\n\n            \xe2\x80\xa2   resources are used consistent with agency mission;\n            \xe2\x80\xa2   programs and resources are protected from waste, fraud, and\n                mismanagement;\n\n            \xe2\x80\xa2   laws and regulations are followed; and\n\n            \xe2\x80\xa2   reliable and timely information is obtained, maintained, reported, and\n                used for decision making.\n\n     The Circular explains that management controls guarantee neither the success of\n     agency programs nor the absence of waste, fraud, and mismanagement, but they\n     are a means of managing the risk associated with Federal programs and\n     operations.\n\n     Office of Management and Budget Circular A-130. Office of Management\n     and Budget Circular A-130, \xe2\x80\x9c Management of Federal Information Resources,\xe2\x80\x9d\n     November 28, 2000, implements numerous public laws, including the Clinger-\n     Cohen Act of 1996, that address the acquisition, management, and security of\n     Federal information resources. The Circular defines information resources as\n     both Government information and information technology. It states that CIOs\n     must:\n\n            \xe2\x80\xa2   participate actively in the development, implementation, and\n                maintenance of strategic and operational plans,\n\n            \xe2\x80\xa2   participate actively throughout the budget process in establishing\n                priorities for agency information resources,\n\n            \xe2\x80\xa2   advise the agency head on the design, development, and\n                implementation of information resources,\n\n            \xe2\x80\xa2   monitor and evaluate the performance of information resource\n                investments and advise the agency head on whether to continue,\n                modify, or terminate a program or project, and\n\n            \xe2\x80\xa2   monitor compliance with guidance in the Circular.\n\n\n                                         14\n\x0c    In addition, the Circular requires Federal agencies to:\n\n           \xe2\x80\xa2   Develop a well-trained corps of information resource professionals,\n\n           \xe2\x80\xa2   Ensure that improvements to existing information systems and the\n               development of planned information systems do not unnecessarily\n               duplicate information technology capabilities, and\n\n           \xe2\x80\xa2   Ensure that information technology is accessible to individuals with\n               disabilities.\n\n    Further, Appendix III requires Federal agencies to establish management\n    controls to ensure adequate security for all information processed, transmitted,\n    or stored in Federal automated information systems and to conduct periodic\n    security reviews to determine the effectiveness of controls.\n\nDoD Guidance\n    DoD Directive 5010.38. DoD Directive 5010.38, \xe2\x80\x9cManagement Control (MC)\n    Program,\xe2\x80\x9d August 26, 1996, establishes the DoD program for management\n    controls and implements Office of Management and Budget Circular A-123.\n\n    DoD Directive 5200.28. DoD Directive 5200.28, \xe2\x80\x9c Security Requirements for\n    Automated Information Systems,\xe2\x80\x9d March 21, 1988, implements the security\n    safeguard provisions of Office of Management and Budget Circular A-130.\n\n    DoD Instruction 5200.40. DoD Instruction 5200.40, \xe2\x80\x9cDoD Information\n    Technology Security Certification and Accreditation Process,\xe2\x80\x9d December 30,\n    1997, implements DoD Directive 5200.28, assigns responsibilities, and\n    prescribes procedures for certification and accreditation of automated\n    information systems, networks, and sites.\n\nArmy Guidance\n    Army Regulation 11-2. Army Regulation 11-2, \xe2\x80\x9cManagement Control,\xe2\x80\x9d\n    August 1, 1994, implements Office of Management and Budget and DoD\n    Guidance for the management control process. It states that all commanders and\n    managers have an inherent responsibility to establish and maintain effective\n    management controls, assess areas of risk, identify and correct weaknesses,\n    keep their superiors informed, and give high priority to weaknesses in identified\n    high-risk areas. The Regulation requires the heads of major Army commands to\n    sign an annual statement of assurance that accurately describes material\n    weaknesses and planned corrective actions. Also, a material control weakness\n    must warrant the attention of the next level of command and a corrected\n    weakness does not preclude it from being reported at the next higher level.\n\n\n\n\n                                        15\n\x0c    Army Regulation 25-1, Army Information Management. Army\n    Regulation 25-1, \xe2\x80\x9cArmy Information Management\xe2\x80\x9d February 15, 2000,\n    implements Office of Management and Budget and DoD Guidance for the\n    management and security of information resources and information technology\n    as applied to command and control systems, intelligence systems, business\n    systems, and national security systems. The Regulation:\n\n           \xe2\x80\xa2   States that, as a valuable resource, information must be managed as\n               any other asset, such as funds, personnel, and equipment.\n\n           \xe2\x80\xa2   Requires CIOs in Army subordinate organizations to provide\n               management oversight for information technology investments and to\n               serve as the senior information management official.\n           \xe2\x80\xa2   Requires that all information systems be subjected to an established\n               certification and accreditation process for verifying that information\n               assurance is achieved and sustained.\n\n           \xe2\x80\xa2   Provides a checklist to evaluate management controls for information\n               management and information technology functions.\n\n    Further, the Regulation states that information systems integration throughout an\n    organization generally reaps efficiency dividends among functional areas.\n\n    Army Regulation 380-19. Army Regulation 380-19, \xe2\x80\x9cInformation Systems\n    Security,\xe2\x80\x9d February 27, 1998, implements DoD Guidance governing\n    information security. The Regulation requires that system administrators be\n    trained in all aspects of information system security. Further, the Regulation\n    requires that before operation, each automated information system be certified\n    and accredited for security requirements and safeguards, and be approved by the\n    information system security manager (or officer).\n\nAMCOM Guidance\n    AMCOM Regulation 25-4. AMCOM Regulation 25-4, \xe2\x80\x9cInformation\n    Management,\xe2\x80\x9d June 9, 1999, implements Army guidance for the management\n    and security of information resources applicable to command and control,\n    intelligence, business, and national security systems. The AMCOM Regulation\n    requires CIO approval to purchase information technology products and services\n    and prescribes the process that organizations and tenants must follow to\n    coordinate their information technology purchases with the CIO. In addition,\n    the Regulation requires purchase cardholders to obtain annual Deputy CIO\n    authorization before purchasing information technology products.\n\n\n\n\n                                        16\n\x0cAppendix C. Validation of Assertions Made in\n            the Hotline Allegation\nAn allegation made to the DoD Hotline by an anonymous source asserts that the Army\nAviation and Missile Command (AMCOM), located at the Redstone Arsenal, Huntsville,\nAlabama, had mismanaged information resources. The following discussion summarizes\nthe assertions made in the allegation and addresses their validity.\n\nAssertion 1. AMCOM allowed its Centers, Directorates, and tenants to acquire and\nmanage information technology resources without coordinating actions with the\nChief Information Officer (CIO) and the Corporate Information Center.\nResponse. The assertion was valid. The CIO and the Corporate Information Center\ndid not always review the information technology requirements that AMCOM\norganizational elements and tenants subsequently acquired.\n\nAssertion 2. AMCOM obtained information technology with untrained personnel.\n\nResponse. The assertion was valid. Technical monitors who had no information\ntechnology training made quality assessment recommendations for deliverable products\nreceived from the Information Mission Area Support Services Contract.\n\nAssertion 3. AMCOM did not empower its CIO to select, control, and oversee\ncommand and area-wide information technology investments and operations.\n\nResponse. The assertion was not valid. AMCOM Regulation 25-4, \xe2\x80\x9cInformation\nManagement,\xe2\x80\x9d June 9, 1999, does empower the CIO. Although it does not specifically\nstate that the CIO manages information resources at the Redstone Arsenal, the\nRegulation provides procedures that engage the CIO in the Command\xe2\x80\x99s areawide\ninformation management business processes.\n\nAssertion 4. AMCOM acquired software applications that will be replaced in 2002\nwhen the Army deploys the Wholesale Logistics Modernization Plan.\n\nResponse. The assertion was not valid. Business process applications for the\nWholesale Logistics Modernization Plan have not been completed, and AMCOM has\nnot reengineered its processes or acquired software that will be replaced when the\nArmy deploys the Plan\xe2\x80\x99s applications.\n\nAssertion 5. AMCOM purchased software applications that duplicated similar\nbusiness processes.\n\nResponse. This assertion was partially valid. AMCOM does operate and maintain\nsystems that augment similar functional processes in its organizational elements.\nIn 1998, a joint analysis team determined that an annual $431,000 cost avoidance would\nresult by combining modules of two resource management information systems.\n\n\n                                         17\n\x0cHowever, action was delayed pending results from further studies. As of November\n2001, documentation could not be found indicating the resumption of additional studies.\n\nAssertion 6. AMCOM did not comply with information security guidance.\n\nResponse. The assertion was valid. Acquiring a graphics writer in 1999 with a\npurchase card, the Command Analysis Directorate connected it to the Redstone Arsenal\nCampus Network without certifying that it complied with Federal Information\nProcessing and DoD implementing information assurance requirements.\n\n\n\n\n                                          18\n\x0cAppendix D. Information Resource Management\n            at Redstone Arsenal\n                                                                                                                 Information\n                                                                                                                 Technology\n                        Extent of System                                                                            Funds\n Organization             Involvement                   Assigned Staff               Types of Services          for FY 2001\n AMCOM              Operates and maintains the    265 information technology     Operates and maintains the     $82 million \xe2\x80\x93\n Corporate          AMCOM Campus Area             professionals                  Redstone Arsenal Campus        Actual Costs\n Information        Network                                                      Area Network\n Center                                           Contracted personnel\n                                                                                 Develops and sustains\n                                                                                 functional applications\n\n                                                                                 Provides technical support\n                                                                                 to AMCOM organizations\n                                                                                 and tenants\n\n                                                                                 Maintains worldwide\n                                                                                 network connections\n AMCOM              Local area network            22 procurement analysts        Network administration         Estimated to be\n Acquisition        servers with user access to   technicians and clerks                                        as much as\n Center             database programs                                                                           $350,000\n                                                  Contracted personnel\n\n AMCOM              Local Area Network and        9 administrative personnel     Web software and database      Estimated to be\n Integrated         e-mail servers                                               applications development       as much as\n Materiel                                         2 logisticians                                                $3 million\n Management         Application servers to                                       New technology system\n Center             support its business          Contracted personnel           integration and support\n                    functions\n                                                                                 Help Desk support\n                    5 servers for the Multi-\n                    user Engineering Change\n                    Proposal Automated\n                    Review System\n AMCOM              Local Area Network and        Division focal points          Network operations             Estimated to be\n Research,          e-mail servers                                                                              as much as\n Development                                                                     Software development           $2 million\n and\n Engineering\n Center\n\n AMCOM              Connected to the Redstone     1 information technology       Network administration         Estimated to be\n Command            Arsenal Campus Area           specialist                                                    as much as\n Analysis           Network                                                      Software development           $73,000\n Directorate                                      Contracted personnel\n                    Connected to a Defense\n                    Information Systems\n                    Agency mainframe\n                    computer\n AMCOM              A local area network with     6 program specialists          Network Administration         Estimated to be\n Security           2 servers for accessing                                                                     as much as\n Assistance         DoD and Army mission          1 logistician                  Help Desk support              $490,000\n Management         applications.\n Directorate                                      1 management assistant\n\n                                                  Contracted personnel\n\n\nSource: Discussions with information technology points of contact within each Organizational Element or Tenant activity\n\n                                                                   19\n\x0c                                                                                                                  Information\n                                                                                                                  Technology\n                         Extent of System                                                                         Funds\n Organization              Involvement                    Assigned Staff                Types of Services         for FY 2001\n AMCOM              Redstone Arsenal Campus        2 security specialists           Information assurance         Identified\n Intelligence       Area Network.                                                                                 $60,000\n                    Information assurance          Contracted personnel\n and Security\n Directorate        focal point for Redstone\n                    Arsenal\n AMCOM              Local area network with        8 computer specialists           Network administration        Estimated to be\n Test,              18 to 20 servers                                                                              more than\n                                                   3 data or information            Intranet hosting              $1.2 million\n Measurement,       3 Unix computers to            management specialists\n and Diagnostic     support mission databases\n Equipment                                         1 accounting specialist          Application development\n Activity           Intranet network with          1 administrative assistant\n                    worldwide users\n                                                   Contracted personnel\n\n AMCOM              Local area network and e-      1 systems management             Help Desk support             Identified\n Resource           mail servers                   analyst                                                        $5,250\n Management\n                    Mission applications on a      Contracted personnel\n Directorate\n                    mainframe computer at the\n                    Defense Finance and\n                    Accounting Service,\n                    St. Louis\n Program            An enterprise network          13 people in various job         Network support               Identified $2.6\n Executive          linked to:                     series                                                         million\n Office for                                                                         System security\n                    Local area networks            Contracted personnel\n Tactical\n                    individually owned and\n Missiles and\n                    operated by each program\n Smart\n                    management office\n Munitions\n                    The Redstone Arsenal\n                    Campus Area Network for\n                    worldwide connectivity\n Program            Wide area network and e-       1 person responsible for         Network support Intrusion     Estimated to be\n Executive          mail, database servers,        information technology           detection                     as much as\n Office for Air     security intrusion detection                                                                  $3.5 million.\n and Missile        devices, and applications      Contracted personnel             Reporting security\n Defense                                                                            certifications and\n                    Communications services,                                        accreditation\n                    automated data processing\n                    maintenance, and internet                                       Policies, procedures, and\n                    received from AMCOM                                             management controls\n Army Materiel      Local area network             50 computer specialists          Network support               Estimated to be\n Command                                                                                                          as much as\n                    28 servers for mail,           6 information specialists        Technical support on          $27.6 million\n Logistics\n                    database, and management                                        specific projects\n Support\n                    applications                   20 additional people in\n Activity\n                                                   various job series\n                                                   Contracted personnel\n Deputy for         Redstone Arsenal Campus        2 persons responsible for        Staff and technical           Estimated to\n Systems            Area Network                   information technology           assistance                    more than $2.8\n Acquisition                                                                                                      million\n                    Each program office            Contracted personnel\n                    operated and maintained\n                    its own hardware\n                    Note: The Deputy for\n                    Systems Acquisition was\n                    disbanded in November\n                    2001\nSource: Discussions with information technology points of contact within each Organizational Element or Tenant activity\n\n                                                                20\n\x0cAppendix E. Report Distribution\n\nOffice of the Secretary of Defense\nUnder Secretary of Defense (Comptroller)/Chief Financial Officer\n  Deputy Chief Financial Officer\n  Deputy Comptroller (Program/Budget)\nAssistant Secretary of Defense (Command, Control, Communications and Intelligence)\n\nDepartment of the Army\nAssistant Secretary of the Army (Acquisition, Logistics, and Technology)\nAssistant Secretary of the Army (Financial Management and Comptroller)\nInspector General, Department of the Army\nAuditor General, Department of the Army\nChief Information Officer, Department of the Army\nCommander, Army Materiel Command\n   Commander, Army Aviation and Missile Command\n\nDepartment of the Navy\nNaval Inspector General\nAuditor General, Department of the Navy\n\nDepartment of the Air Force\nAuditor General, Department of the Air Force\n\nNon-Defense Federal Organization\nOffice of Management and Budget\n\n\n\n\n                                           21\n\x0cCongressional Committees and Subcommittees, Chairman and\n  Ranking Minority Member\nSenate Committee on Appropriations\nSenate Subcommittee on Defense, Committee on Appropriations\nSenate Committee on Armed Services\nSenate Committee on Governmental Affairs\nHouse Committee on Appropriations\nHouse Subcommittee on Defense, Committee on Appropriations\nHouse Committee on Armed Services\nHouse Committee on Government Reform\nHouse Subcommittee on Government Efficiency, Financial Management, and\n  Intergovernmental Relations, Committee on Government Reform\nHouse Subcommittee on National Security, Veterans Affairs, and International Relations,\n  Committee on Government Reform\nHouse Subcommittee on Technology and Procurement Policy, Committee on Government\n  Reform\n\n\n\n\n                                           22\n\x0cDepartment of the Army Comments\n\n\n\n\n                    23\n\x0c24\n\x0c25\n\x0c26\n\x0c27\n\x0c28\n\x0cTeam Members\nThe Acquisition Management Directorate, Office of the Assistant Inspector for Auditing of the\nDepartment of Defense prepared this report. Personnel of the Office of the Inspector General of\nthe Department of Defense who contributed to the report are listed below.\n\nMary L. Ugone\nCharles M. Santoni\nDavid M. Wyte\nStephen J. Bressi\nRobert R. Johnson\nLeann A. Alwood\nJohn R. Huddleston\nJacqueline N. Pugh\n\x0c'